A Virtual Private Network (VPN) is a computer network that uses a public network, such as the Internet, for the transport of private data. Subscribers to a VPN can exchange data as in an internal local network (Local Area Network; LAN). The individual subscribers themselves do not have to be directly connected thereto. The connection via the public network is usually encrypted. A connection between a subscriber who is using what is known as a VPN client and his home network, which makes available what is known as a VPN server, is facilitated via a tunnel between the VPN client and the VPN server. In most cases the tunnel is then secured, but even an unsecured clear text tunnel can be used to connect a VPN client to a VPN server.
A VPN may, among other things, serve the purpose of providing employees who are away from an organization or a business with access to the internal network. To do so, the employee's computer establishes a VPN connection with a VPN gateway operated by the business. It is then possible for the employee to work via this connection as if he were working in the business's local area network.
In order to be able to facilitate secure transmission of data in VPNs, special protocols are required. A set of such protocols is known in combination as IP security (IPsec). This includes, among other things, the Internet Key Exchange Version 2 (IKEv2) protocol, which is responsible for generating the keys that the cryptographic mechanisms of the other protocols also require. A tunnel set up using IPsec for a VPN connection is also referred to as an IPsec tunnel. The Mobile Internet Key Exchange protocol (MOBIKE protocol) is an extension of the IKEv2 protocol included in IPsec; it allows the VPN client to change its point of attachment to the network without the resulting change in its Internet Protocol (IP) address forcing its VPN session to be established once again.
In a typical VPN scenario, a VPN client and a VPN gateway exchange data via an IPsec tunnel. If the VPN client is a mobile node (MN), for example a laptop, a palmtop, a Personal Digital Assistant (PDA) or suchlike, and if said node changes its Internet point of attachment, then its IP address also changes. The MOBIKE protocol specifies how said change of address can be handled effectively in the VPN scenario. If the MN has initiated a Next Steps In Signaling (NSIS) session for this tunnel, the state of all NSIS-enabled nodes that take part in signaling along the path of the tunnel then has to be updated whenever the point of attachment changes, so that the state can follow the change in the IP address of the MN. This process involves an overhead that becomes greater the more often the MN changes its point of attachment. Furthermore, an additional waste of resources can occur if the aforementioned NSIS nodes have reserved resources for the data stream through the IPsec tunnel. Such reservations of resources, such as transmission speed, bandwidth and suchlike, are made, for example, where the signaling is Quality of Service (QoS) signaling, for example the QoS NSLP (Quality of Service NSIS Signaling Layer Protocol) created by the NSIS working group. The aforementioned waste of resources occurs because, in the interval between the change of address and the aforementioned update of the state, the resources that have been reserved are available neither to the data stream in the IPsec tunnel nor elsewhere. This likewise means that the data stream cannot make use of the resources reserved for its use until all the NSIS nodes along the path have been updated, and consequently that initially agreed QoS guarantees cannot be upheld. The user becomes aware thereof because the transmission speed, for example, is clearly slower.
There are no solutions known from the related art that allow an optimization of the NSIS signaling when there is a change in the point of attachment for the MN in MOBIKE environments. The reports produced by the NSIS working group describe only the basic methods for using NSIS signaling protocols in mobile scenarios. These methods require the MN to send signaling messages whenever its IP address changes. The purpose of these messages is to update the states of the NSIS nodes involved in the signaling session with the current IP address of the MN.
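The following Python model is an added example, not part of this document, that makes the state-update problem described in the two preceding paragraphs concrete: each NSIS-enabled node on the tunnel path holds QoS reservation state keyed by the tunnel's outer flow (MN address, gateway address), and a MOBIKE address change forces one signaling update per node, with the reservation unusable by the new flow until every node has been re-keyed. Node names, addresses and bandwidth values are constructed.

```python
from dataclasses import dataclass, field

# Constructed model: NSIS-enabled routers along an IPsec tunnel path. Each node
# keeps QoS reservation state (QoS NSLP style) keyed by the outer flow of the
# tunnel, i.e. (MN address, VPN gateway address).

@dataclass
class NsisNode:
    name: str
    # flow id (src, dst) -> reserved bandwidth in kbit/s
    reservations: dict = field(default_factory=dict)

    def reserve(self, flow, kbps):
        self.reservations[flow] = kbps

    def update_flow(self, old_flow, new_flow):
        # Re-key the reservation after the MN's address changed; this is what
        # one NSIS signaling update per node achieves.
        self.reservations[new_flow] = self.reservations.pop(old_flow)

    def serves(self, flow):
        return flow in self.reservations


def reserve_path(path, flow, kbps):
    """Initial QoS reservation for the tunnel flow on every node of the path."""
    for node in path:
        node.reserve(flow, kbps)


def mobike_address_change(path, gateway, old_ip, new_ip):
    """Re-signal the path after a MOBIKE address update.

    Returns the number of signaling updates sent (one per node) and, after each
    update, how many nodes still hold stale state for the new flow. Until that
    count reaches zero the reserved bandwidth benefits neither the new flow nor
    anyone else, which is the waste of resources described in the text.
    """
    old_flow, new_flow = (old_ip, gateway), (new_ip, gateway)
    stale_after_step = []
    updates = 0
    for node in path:
        node.update_flow(old_flow, new_flow)
        updates += 1
        stale_after_step.append(sum(1 for n in path if not n.serves(new_flow)))
    return updates, stale_after_step


def flow_fully_served(path, flow):
    """True only once every node on the path holds a reservation for the flow."""
    return all(n.serves(flow) for n in path)
```

The per-node update count grows linearly with both path length and the number of handovers, which is the overhead the text refers to.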